Failed to decrypt Account Credentials

After I updated the app to 5.6.6.0 the service cannot start automatically…

If I check the services then there is no service CertifySSL listed…

If I try to start the service manually from
C:\Program Files\CertifyTheWeb\CertifySSLManager.Service.exe

then these errors come up: Failed to decrypt Account Credentials

Configuration Result:
[Success] Name Certify.Service
[Success] DisplayName Certify SSL Manager Service
[Success] Description Certify SSL/TLS Manager Service
[Success] ServiceName Certify.Service
Topshelf v4.3.0.0, .NET Framework 4.8.4480.0 (4.0.30319.42000)
[12:40:39 INF] Logging started: Information
Native library pre-loader is trying to load native SQLite library “C:\Program Files\CertifyTheWeb\x64\SQLite.Interop.dll”…
[12:40:39 INF] Performed db backup to C:\ProgramData\certify\manageditems.db.bak. To switch to the backup, rename the old manageditems.db file and rename the .bak file as manageditems.db, then restart service to recover.
[12:40:40 INF] Certify Manager Started
[12:40:40 ERR] Failed to decrypt Account Credentials [letsencrypt.org_Production] Failed to decrypt Credential [6c9889c6-1b51-4853-bac9-e51a87f38542] - it was most likely created by a different user account.
The Certify.Service service is now running, press Control+C to exit.
[12:40:56 ERR] Failed to decrypt Account Credentials [letsencrypt.org_Production] Failed to decrypt Credential [6c9889c6-1b51-4853-bac9-e51a87f38542] - it was most likely created by a different user account.

This most likely means that at some point you changed the Certify background service to run as a different user, so after the update the service reverted back to Local System and it can’t decrypt the account information.

Running the service as a different user is not supported, but you can do it if you understand the implications and can manage them yourself.

Note that you could just delete the existing Let’s Encrypt account under Settings > Certificate Authorities and add a new one, that way it will be encrypted using the current service user, but if you have any other saved credentials (DNS credentials etc) they will also be locked to the other user and you’d need to replace those. You’d also have to verify the files under C:\ProgramData\certify are all writeable by the correct user.

We didn’t change anything :( but I wanted to check which profile is logged in to the program and now I see the problem… there is no info about the account… and the admin who set this up before didn’t give me any login data :( What can we do?

You didn’t change anything intentionally but the previous admin who set the app up did set the service to run as a different user. Either that or Local System has lost its Windows DPAPI keys, which is unlikely.

It’s ok, you don’t need to know what the details of the old account were, just go to Settings > Certificate Authorities and add a new account (select Let’s Encrypt as the certificate authority, which it is by default). You should use an email address that’s real and monitored because renewal failure messages etc go to that address. You can delete the old Let’s Encrypt account if it’s currently shown.

Let’s Encrypt accounts don’t have a password, instead they have the private key file which is automatically generated and stored on your machine.

When you then request your managed certificate again (click “Request Certificate”) it will use your new account.

Thanks for the help, I will try soon when I am in the office. One more question is about the automatic start of the service: if I check the list of services I don’t see the service CertifySSL listed.

Can somebody help me over TeamViewer? I will pay, no problem. I don’t want to make any errors…

Since yesterday nothing connected to OWA works - I also cannot log in to Exchange administration…

In this case I also don’t know how to change the user for the Certify background service :(

Thanks, you are correct that the local services screenshot does suggest that the machine you are looking at does not have Certify The Web installed. You do not have to change the background service under normal circumstances, so don’t do that.

I’m afraid we do not provide consultancy services, we can only help with our own app.

Your OWA error (HMACProvider) sounds like this one : https://docs.microsoft.com/en-us/answers/questions/476090/ex2019-cu10-owaecp-not-working-after-july-security.html

And that seems to be caused by an expired certificate but possibly not the one that Certify is managing. Instructions to resolve that issue are here: Can't access OWA/EAC with expired OAuth certificate - Exchange | Microsoft Docs

Certify The Web is installed on this machine… yesterday I updated to the current version but it still does not work…

If I start the service manually then I can also start the Certify UI.

I am searching for a solution to start the Certify SSL Manager service again.

The Certify background service should be set to automatically start.

Log files are stored under C:\ProgramData\certify\logs and there should be a file called service.exceptions.log - check that to see if there are any errors, it should normally say:

[22/03/2022 2:05:49 PM] :: Service API bound OK to http://localhost:9696

I’d predict that there is a problem with the file permissions on some of the files under C:\ProgramData\certify - all the files need to be readable and writeable by Local System which they normally are, but because a different user was originally used there may be conflicts.
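
The checks described in this reply (start mode, service account, API port, file permissions, exception log) can be collected in one read-only pass. This is an added example, not part of the original posts or Certify The Web's own tooling; it assumes an elevated PowerShell session on the affected server and uses the service name, executable, port and paths quoted in this thread.

```powershell
# Added example: read-only checks; names, port and paths are taken from this thread.
$serviceName = 'Certify.Service'
$exeName     = 'CertifySSLManager.Service.exe'
$dataDir     = 'C:\ProgramData\certify'
$apiPort     = 9696

# 1. Is the service registered, set to start automatically, and running as Local System?
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$serviceName'"
if ($svc) {
    $svc | Format-List Name, State, StartMode, StartName, PathName
    if ($svc.StartMode -ne 'Auto')        { Write-Warning "StartMode is $($svc.StartMode), expected Auto" }
    if ($svc.StartName -ne 'LocalSystem') { Write-Warning "Service account is $($svc.StartName), not LocalSystem" }
} else {
    Write-Warning "$serviceName is not registered in the service control manager"
}

# 2. Which account owns any running instance? A copy started from a command
#    prompt shows the interactive user here instead of SYSTEM.
Get-CimInstance -ClassName Win32_Process -Filter "Name='$exeName'" | ForEach-Object {
    $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
    [pscustomobject]@{ ProcessId = $_.ProcessId; Owner = "$($owner.Domain)\$($owner.User)" }
}

# 3. Is the service API port (the one the UI connects to) listening?
if (-not (Get-NetTCPConnection -LocalPort $apiPort -State Listen -ErrorAction SilentlyContinue)) {
    Write-Warning "Nothing is listening on localhost:$apiPort"
}

# 4. Files under the data directory that neither SYSTEM (S-1-5-18) nor
#    Administrators (S-1-5-32-544) may modify. Heuristic: Allow entries only,
#    Deny entries are not evaluated.
$trusted = 'S-1-5-18', 'S-1-5-32-544'
$modify  = [System.Security.AccessControl.FileSystemRights]::Modify
Get-ChildItem -Path $dataDir -Recurse -File | ForEach-Object {
    $acl   = Get-Acl -LiteralPath $_.FullName
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $ok = $rules | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $trusted -contains $_.IdentityReference.Value -and
        ($_.FileSystemRights -band $modify) -eq $modify
    }
    if (-not $ok) {
        [pscustomobject]@{ File = $_.FullName; Owner = $acl.Owner }
    }
}

# 5. Last entries of the service exception log mentioned in the thread.
Get-Content -Path (Join-Path $dataDir 'logs\service.exceptions.log') -Tail 5
```

Files listed by step 4, or an owner in step 2 other than SYSTEM, point to the account mismatch behind the "Failed to decrypt" error.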

I don’t know why the service does not start automatically. In this case the certificate was not replaced in Exchange Server.

The Certify log file looks OK.

The folder C:\ProgramData\certify has readable and writeable permissions set.

And if I start the service, the info about a different user account comes up again.

Here is also the certificate log, which also looks OK:

2022-03-20 09:18:20.011 +01:00 [INF] ---- Beginning Request [Default Web Site] ----
2022-03-20 09:18:20.057 +01:00 [INF] Certify/5.6.2.0 (Windows; Microsoft Windows NT 6.3.9600.0)
2022-03-20 09:18:20.932 +01:00 [INF] Beginning Certificate Request Process: Default Web Site using ACME Provider:Certes
2022-03-20 09:18:20.932 +01:00 [INF] Requested identifiers to include on certificate: webmail.website.com;autodiscover.website.com;autodiscover.website4.com
2022-03-20 09:18:20.932 +01:00 [INF] Beginning certificate order for requested domains
2022-03-20 09:18:21.870 +01:00 [INF] BeginCertificateOrder: creating/retrieving order. Retries remaining:2
2022-03-20 09:18:23.307 +01:00 [INF] Created ACME Order: https://acme-v02.api.letsencrypt.org/acme/order/113646614/73022106190
2022-03-20 09:18:23.636 +01:00 [INF] Fetching Authorizations.
2022-03-20 09:18:24.651 +01:00 [INF] Got http-01 challenge https://acme-v02.api.letsencrypt.org/acme/chall-v3/89566303410/ZBjYGg
2022-03-20 09:18:24.979 +01:00 [INF] Got dns-01 challenge https://acme-v02.api.letsencrypt.org/acme/chall-v3/89566303410/24hkKQ
2022-03-20 09:18:25.636 +01:00 [INF] Got http-01 challenge https://acme-v02.api.letsencrypt.org/acme/chall-v3/89566303420/P_94kg
2022-03-20 09:18:25.964 +01:00 [INF] Got dns-01 challenge https://acme-v02.api.letsencrypt.org/acme/chall-v3/89566303420/AlPFlA
2022-03-20 09:18:26.604 +01:00 [INF] Got http-01 challenge https://acme-v02.api.letsencrypt.org/acme/chall-v3/89566303430/inaRIQ
2022-03-20 09:18:26.932 +01:00 [INF] Got dns-01 challenge https://acme-v02.api.letsencrypt.org/acme/chall-v3/89566303430/GhMWMA
2022-03-20 09:18:28.229 +01:00 [INF] Http Challenge Server process available.
2022-03-20 09:18:28.229 +01:00 [INF] Attempting Domain Validation: webmail.website.com
2022-03-20 09:18:28.229 +01:00 [INF] Registering and Validating webmail.website.com
2022-03-20 09:18:28.229 +01:00 [INF] Preparing automated challenge responses (webmail.website.com)
2022-03-20 09:18:28.260 +01:00 [INF] Preparing challenge response for the issuing Certificate Authority to check at: http://webmail.website.com/.well-known/acme-challenge/u5gbKT0H9qVpqSSYJ-Hehz7NBFL_ROTEBPrOO0qDG20 with content u5gbKT0H9qVpqSSYJ-Hehz7NBFL_ROTEBPrOO0qDG20.eOeyxg8eSaBQnABAJb5rTmZAy6FsjzDwkeK1TYv4ou8
2022-03-20 09:18:28.260 +01:00 [INF] If the challenge response file is not accessible at this exact URL the validation will fail and a certificate will not be issued.
2022-03-20 09:18:28.667 +01:00 [INF] Using website path C:\inetpub\wwwroot
2022-03-20 09:18:28.682 +01:00 [INF] Requesting Validation: webmail.website.com
2022-03-20 09:18:28.682 +01:00 [INF] Http Challenge Server process available.
2022-03-20 09:18:28.682 +01:00 [INF] Attempting Domain Validation: autodiscover.website.com
2022-03-20 09:18:28.682 +01:00 [INF] Registering and Validating autodiscover.website.com
2022-03-20 09:18:28.682 +01:00 [INF] Preparing automated challenge responses (autodiscover.website.com)
2022-03-20 09:18:28.682 +01:00 [INF] Preparing challenge response for the issuing Certificate Authority to check at: http://autodiscover.website.com/.well-known/acme-challenge/jop5QOnyJlCUBMOtN3NCrLBJTeQdpbNb3c0gXNRO2cQ with content jop5QOnyJlCUBMOtN3NCrLBJTeQdpbNb3c0gXNRO2cQ.eOeyxg8eSaBQnABAJb5rTmZAy6FsjzDwkeK1TYv4ou8
2022-03-20 09:18:28.682 +01:00 [INF] If the challenge response file is not accessible at this exact URL the validation will fail and a certificate will not be issued.
2022-03-20 09:18:28.729 +01:00 [INF] Using website path C:\inetpub\wwwroot
2022-03-20 09:18:28.729 +01:00 [INF] Requesting Validation: autodiscover.website.com
2022-03-20 09:18:28.729 +01:00 [INF] Http Challenge Server process available.
2022-03-20 09:18:28.729 +01:00 [INF] Attempting Domain Validation: autodiscover.website4.com
2022-03-20 09:18:28.729 +01:00 [INF] Registering and Validating autodiscover.website4.com
2022-03-20 09:18:28.729 +01:00 [INF] Preparing automated challenge responses (autodiscover.website4.com)
2022-03-20 09:18:28.729 +01:00 [INF] Preparing challenge response for the issuing Certificate Authority to check at: http://autodiscover.website4.com/.well-known/acme-challenge/DIMnFkegIxLcVJiA0ey-G3dNTvf8cItrf1ZtA2Tzcjc with content DIMnFkegIxLcVJiA0ey-G3dNTvf8cItrf1ZtA2Tzcjc.eOeyxg8eSaBQnABAJb5rTmZAy6FsjzDwkeK1TYv4ou8
2022-03-20 09:18:28.729 +01:00 [INF] If the challenge response file is not accessible at this exact URL the validation will fail and a certificate will not be issued.
2022-03-20 09:18:28.776 +01:00 [INF] Using website path C:\inetpub\wwwroot
2022-03-20 09:18:28.776 +01:00 [INF] Requesting Validation: autodiscover.website4.com
2022-03-20 09:18:28.839 +01:00 [INF] Attempting Challenge Response Validation for Domain: webmail.website.com
2022-03-20 09:18:28.839 +01:00 [INF] Registering and Validating webmail.website.com
2022-03-20 09:18:28.839 +01:00 [INF] Checking automated challenge response for Domain: webmail.website.com
2022-03-20 09:18:32.839 +01:00 [INF] Domain validation completed: webmail.website.com
2022-03-20 09:18:32.839 +01:00 [INF] Attempting Challenge Response Validation for Domain: autodiscover.website.com
2022-03-20 09:18:32.839 +01:00 [INF] Registering and Validating autodiscover.website.com
2022-03-20 09:18:32.839 +01:00 [INF] Checking automated challenge response for Domain: autodiscover.website.com
2022-03-20 09:18:34.135 +01:00 [INF] Domain validation completed: autodiscover.website.com
2022-03-20 09:18:34.135 +01:00 [INF] Attempting Challenge Response Validation for Domain: autodiscover.website4.com
2022-03-20 09:18:34.135 +01:00 [INF] Registering and Validating autodiscover.website4.com
2022-03-20 09:18:34.135 +01:00 [INF] Checking automated challenge response for Domain: autodiscover.website4.com
2022-03-20 09:18:35.432 +01:00 [INF] Domain validation completed: autodiscover.website4.com
2022-03-20 09:18:35.448 +01:00 [INF] Requesting Certificate via Certificate Authority
2022-03-20 09:18:39.620 +01:00 [INF] Completed Certificate Request.
2022-03-20 09:18:39.776 +01:00 [INF] Performing Automated Certificate Binding
2022-03-20 09:18:41.292 +01:00 [INF] Completed certificate request and automated bindings update (IIS)
2022-03-20 09:18:41.823 +01:00 [INF] Request completed
2022-03-20 09:18:41.823 +01:00 [INF] Request completed
2022-03-21 14:02:43.067 +01:00 [INF] All Tests Completed OK
2022-03-21 14:15:40.901 +01:00 [INF] [Preview Mode] Completed certificate request and automated bindings update (IIS)

Here is also UI.log

2022-03-21 14:05:57.697 +01:00 [ERR] An error occurred: Certify.Client.ServiceCommsException: Failed to communicate with service: http://localhost:9696/api/credentials: System.Net.Http.HttpRequestException: An error occurred while sending the request. —> System.Net.WebException: Unable to connect to the remote server —> System.Net.Sockets.SocketException: No connection could be made because the target machine actively refused it 127.0.0.1:9696
at System.Net.Sockets.Socket.InternalEndConnect(IAsyncResult asyncResult)
at System.Net.Sockets.Socket.EndConnect(IAsyncResult asyncResult)
at System.Net.ServicePoint.ConnectSocketInternal(Boolean connectFailure, Socket s4, Socket s6, Socket& socket, IPAddress& address, ConnectSocketState state, IAsyncResult asyncResult, Exception& exception)
— End of inner exception stack trace —
at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)
at System.Net.Http.HttpClientHandler.GetResponseCallback(IAsyncResult ar)
— End of inner exception stack trace —
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at Polly.Retry.AsyncRetryEngine.d__01.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at Polly.AsyncPolicy1.d__13.MoveNext()
— End of stack trace from previous location where exception was thrown —
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Net.Http.HttpClient.d__58.MoveNext()
— End of stack trace from previous location where exception was thrown —
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Certify.Client.CertifyApiClient.d__21.MoveNext() in D:\a\certify-service\certify-service\src\certify-build\certify\src\Certify.Client\CertifyApiClient.cs:line 140
at Certify.Client.CertifyApiClient.d__21.MoveNext() in D:\a\certify-service\certify-service\src\certify-build\certify\src\Certify.Client\CertifyApiClient.cs:line 153
— End of stack trace from previous location where exception was thrown —
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Certify.Client.CertifyApiClient.d__64.MoveNext() in D:\a\certify-service\certify-service\src\certify-build\certify\src\Certify.Client\CertifyApiClient.cs:line 549
— End of stack trace from previous location where exception was thrown —
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Certify.UI.ViewModel.AppViewModel.d__19.MoveNext() in D:\a\certify-service\certify-service\src\certify-build\certify\src\Certify.UI.Shared\ViewModel\AppViewModel\AppViewModel.Config.cs:line 212
— End of stack trace from previous location where exception was thrown —
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Certify.UI.Controls.Settings.Credentials.d__6.MoveNext() in D:\a\certify-service\certify-service\src\certify-build\certify\src\Certify.UI.Shared\Controls\Settings\Credentials.xaml.cs:line 41
— End of stack trace from previous location where exception was thrown —
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Certify.UI.Controls.Settings.Credentials.<UserControl_Loaded>d__9.MoveNext() in D:\a\certify-service\certify-service\src\certify-build\certify\src\Certify.UI.Shared\Controls\Settings\Credentials.xaml.cs:line 44
— End of stack trace from previous location where exception was thrown —
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Windows.Threading.ExceptionWrapper.InternalRealCall(Delegate callback, Object args, Int32 numArgs)
at System.Windows.Threading.ExceptionWrapper.TryCatchWhen(Object source, Delegate callback, Object args, Int32 numArgs, Delegate catchHandler)
at System.Windows.Threading.DispatcherOperation.InvokeImpl()
at MS.Internal.CulturePreservingExecutionContext.CallbackWrapper(Object obj)
at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
at MS.Internal.CulturePreservingExecutionContext.Run(CulturePreservingExecutionContext executionContext, ContextCallback callback, Object state)
at System.Windows.Threading.DispatcherOperation.Invoke()
at System.Windows.Threading.Dispatcher.ProcessQueue()
at System.Windows.Threading.Dispatcher.WndProcHook(IntPtr hwnd, Int32 msg, IntPtr wParam, IntPtr lParam, Boolean& handled)
at MS.Win32.HwndWrapper.WndProc(IntPtr hwnd, Int32 msg, IntPtr wParam, IntPtr lParam, Boolean& handled)
at MS.Win32.HwndSubclass.DispatcherCallbackOperation(Object o)
at System.Windows.Threading.ExceptionWrapper.InternalRealCall(Delegate callback, Object args, Int32 numArgs)
at System.Windows.Threading.ExceptionWrapper.TryCatchWhen(Object source, Delegate callback, Object args, Int32 numArgs, Delegate catchHandler)
at System.Windows.Threading.Dispatcher.LegacyInvokeImpl(DispatcherPriority priority, TimeSpan timeout, Delegate method, Object args, Int32 numArgs)
at MS.Win32.HwndSubclass.SubclassWndProc(IntPtr hwnd, Int32 msg, IntPtr wParam, IntPtr lParam)
at MS.Win32.UnsafeNativeMethods.DispatchMessage(MSG& msg)
at System.Windows.Threading.Dispatcher.PushFrameImpl(DispatcherFrame frame)
at System.Windows.Application.RunDispatcher(Object ignore)
at System.Windows.Application.RunInternal(Window window)
at Certify.UI.App.Main()

Two things are going wrong here - the service is messed up and the other cert you need is not related to Certify:

  • The certificate mentioned in this screenshot appears to be nothing to do with Certify The Web, it is a certificate used for inter-server communication. Please consult the Microsoft documentation or a qualified expert - we cannot provide support for general MS Exchange administration.

In one of your screenshots you ran the service manually via a command prompt : do not do this.

You should only start/stop the Certify background service using the Local Services - not manually, if you start it manually [from a command prompt] then it’s running under your account which means the permissions and encrypted information will get messed up again.

I’d actually recommend that you just start again - uninstall the app, delete or archive C:\ProgramData\certify then install the app as normal and set it up again. You then also need to figure out the Exchange certificate issue (Certify cannot order or manage certificates for local server names, so this was clearly self signed when it was created).